Only view milestones from current repo (#18414) (#18418)

Backport #18414

The endpoint /{username}/{reponame}/milestone/{id} is not currently restricted to
the repo. This PR restricts the milestones to those within the repo.

Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath 2022-01-26 22:09:35 +00:00 committed by GitHub
parent df57524c49
commit 9d9ad1b59f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 34 deletions

View file

@ -127,22 +127,6 @@ func GetMilestoneByRepoIDANDName(repoID int64, name string) (*Milestone, error)
return &mile, nil return &mile, nil
} }
// GetMilestoneByID returns the milestone via id .
func GetMilestoneByID(id int64) (*Milestone, error) {
return getMilestoneByID(x, id)
}
func getMilestoneByID(e Engine, id int64) (*Milestone, error) {
var m Milestone
has, err := e.ID(id).Get(&m)
if err != nil {
return nil, err
} else if !has {
return nil, ErrMilestoneNotExist{ID: id, RepoID: 0}
}
return &m, nil
}
// UpdateMilestone updates information of given milestone. // UpdateMilestone updates information of given milestone.
func UpdateMilestone(m *Milestone, oldIsClosed bool) error { func UpdateMilestone(m *Milestone, oldIsClosed bool) error {
sess := x.NewSession() sess := x.NewSession()

View file

@ -51,9 +51,8 @@ const (
issueTemplateTitleKey = "IssueTemplateTitle" issueTemplateTitleKey = "IssueTemplateTitle"
) )
var (
// IssueTemplateCandidates issue templates // IssueTemplateCandidates issue templates
IssueTemplateCandidates = []string{ var IssueTemplateCandidates = []string{
"ISSUE_TEMPLATE.md", "ISSUE_TEMPLATE.md",
"issue_template.md", "issue_template.md",
".gitea/ISSUE_TEMPLATE.md", ".gitea/ISSUE_TEMPLATE.md",
@ -61,7 +60,6 @@ var (
".github/ISSUE_TEMPLATE.md", ".github/ISSUE_TEMPLATE.md",
".github/issue_template.md", ".github/issue_template.md",
} }
)
// MustAllowUserComment checks to make sure if an issue is locked. // MustAllowUserComment checks to make sure if an issue is locked.
// If locked and user has permissions to write to the repository, // If locked and user has permissions to write to the repository,
@ -239,7 +237,7 @@ func issues(ctx *context.Context, milestoneID, projectID int64, isPullOption uti
} }
} }
var issueList = models.IssueList(issues) issueList := models.IssueList(issues)
approvalCounts, err := issueList.GetApprovalCounts() approvalCounts, err := issueList.GetApprovalCounts()
if err != nil { if err != nil {
ctx.ServerError("ApprovalCounts", err) ctx.ServerError("ApprovalCounts", err)
@ -422,7 +420,6 @@ func RetrieveRepoMilestonesAndAssignees(ctx *context.Context, repo *models.Repos
} }
func retrieveProjects(ctx *context.Context, repo *models.Repository) { func retrieveProjects(ctx *context.Context, repo *models.Repository) {
var err error var err error
ctx.Data["OpenProjects"], _, err = models.GetProjects(models.ProjectSearchOptions{ ctx.Data["OpenProjects"], _, err = models.GetProjects(models.ProjectSearchOptions{
@ -781,7 +778,7 @@ func NewIssue(ctx *context.Context) {
milestoneID := ctx.QueryInt64("milestone") milestoneID := ctx.QueryInt64("milestone")
if milestoneID > 0 { if milestoneID > 0 {
milestone, err := models.GetMilestoneByID(milestoneID) milestone, err := models.GetMilestoneByRepoID(ctx.Repo.Repository.ID, milestoneID)
if err != nil { if err != nil {
log.Error("GetMilestoneByID: %d: %v", milestoneID, err) log.Error("GetMilestoneByID: %d: %v", milestoneID, err)
} else { } else {
@ -865,7 +862,7 @@ func ValidateRepoMetas(ctx *context.Context, form forms.CreateIssueForm, isPull
// Check milestone. // Check milestone.
milestoneID := form.MilestoneID milestoneID := form.MilestoneID
if milestoneID > 0 { if milestoneID > 0 {
ctx.Data["Milestone"], err = repo.GetMilestoneByID(milestoneID) ctx.Data["Milestone"], err = models.GetMilestoneByRepoID(ctx.Repo.Repository.ID, milestoneID)
if err != nil { if err != nil {
ctx.ServerError("GetMilestoneByID", err) ctx.ServerError("GetMilestoneByID", err)
return nil, nil, 0, 0 return nil, nil, 0, 0
@ -2446,7 +2443,7 @@ func filterXRefComments(ctx *context.Context, issue *models.Issue) error {
// GetIssueAttachments returns attachments for the issue // GetIssueAttachments returns attachments for the issue
func GetIssueAttachments(ctx *context.Context) { func GetIssueAttachments(ctx *context.Context) {
issue := GetActionIssue(ctx) issue := GetActionIssue(ctx)
var attachments = make([]*api.Attachment, len(issue.Attachments)) attachments := make([]*api.Attachment, len(issue.Attachments))
for i := 0; i < len(issue.Attachments); i++ { for i := 0; i < len(issue.Attachments); i++ {
attachments[i] = convert.ToReleaseAttachment(issue.Attachments[i]) attachments[i] = convert.ToReleaseAttachment(issue.Attachments[i])
} }
@ -2460,7 +2457,7 @@ func GetCommentAttachments(ctx *context.Context) {
ctx.NotFoundOrServerError("GetCommentByID", models.IsErrCommentNotExist, err) ctx.NotFoundOrServerError("GetCommentByID", models.IsErrCommentNotExist, err)
return return
} }
var attachments = make([]*api.Attachment, 0) attachments := make([]*api.Attachment, 0)
if comment.Type == models.CommentTypeComment { if comment.Type == models.CommentTypeComment {
if err := comment.LoadAttachments(); err != nil { if err := comment.LoadAttachments(); err != nil {
ctx.ServerError("LoadAttachments", err) ctx.ServerError("LoadAttachments", err)

View file

@ -268,7 +268,7 @@ func DeleteMilestone(ctx *context.Context) {
// MilestoneIssuesAndPulls lists all the issues and pull requests of the milestone // MilestoneIssuesAndPulls lists all the issues and pull requests of the milestone
func MilestoneIssuesAndPulls(ctx *context.Context) { func MilestoneIssuesAndPulls(ctx *context.Context) {
milestoneID := ctx.ParamsInt64(":id") milestoneID := ctx.ParamsInt64(":id")
milestone, err := models.GetMilestoneByID(milestoneID) milestone, err := models.GetMilestoneByRepoID(ctx.Repo.Repository.ID, milestoneID)
if err != nil { if err != nil {
if models.IsErrMilestoneNotExist(err) { if models.IsErrMilestoneNotExist(err) {
ctx.NotFound("GetMilestoneByID", err) ctx.NotFound("GetMilestoneByID", err)